fix: Add VAULT_CACERT to vault CLI commands in ensure_vault_unsealed

- vault status and unseal commands now use CA cert for TLS verification
- Fixes x509 certificate signed by unknown authority error
Rodrigo Rodriguez (Pragmatismo) 2026-01-09 12:29:45 -03:00
parent 00acf1c76e
commit 115b2770cb
2 changed files with 13 additions and 12 deletions


@ -1,7 +1,7 @@
{ {
"base_url": "http://localhost:8300", "base_url": "http://localhost:8300",
"default_org": { "default_org": {
"id": "354422182425657358", "id": "354797876871692302",
"name": "default", "name": "default",
"domain": "default.localhost" "domain": "default.localhost"
}, },
@ -13,8 +13,8 @@
"first_name": "Admin", "first_name": "Admin",
"last_name": "User" "last_name": "User"
}, },
"admin_token": "DNSctgJla8Kl3rWXa1Pk6vqbeiRGixGLfDhQ80m0fNI5H-5Lh4NJBs68bMwFFleh14Xtsto", "admin_token": "oU_rp4E81exidBP-jyaGcoKI1Ckoz-_U2O4BCMPmasKHktVw0ja2hP506-Bf-MD1JsqWl2A",
"project_id": "354422182828310542", "project_id": "",
"client_id": "354423066903773198", "client_id": "354797877458960398",
"client_secret": "hsUDIhIA0aaDD52mpzci12DR1ot8g7x1T1DoTJmVzIQ3Y273eDEWYFXiN6pcTVJf" "client_secret": "k4MLtkaRFuKkJwfubZCN5g7UZT8GJttzYb1Zjb48Xo3OesQPeBsVC3xjhsn8uvrL"
} }
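Review bot: `admin_token` and `client_secret` are live credentials committed in plaintext and rotated in this hunk, so both the superseded and the current values now sit in git history; a tracked config file should carry placeholders, with the real values supplied from the environment or an untracked local file, and the replaced token and secret revoked rather than just overwritten. The same hunk also empties `project_id` (`"project_id": ""`), which the commit message does not mention — this looks like a bootstrap artifact being committed by accident rather than an intended change, so confirm before merging.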


@ -633,6 +633,7 @@ impl BootstrapManager {
async fn ensure_vault_unsealed(&self) -> Result<()> { async fn ensure_vault_unsealed(&self) -> Result<()> {
let vault_init_path = self.stack_dir("conf/vault/init.json"); let vault_init_path = self.stack_dir("conf/vault/init.json");
let vault_addr = "https://localhost:8200"; let vault_addr = "https://localhost:8200";
let vault_cacert = "./botserver-stack/conf/system/certificates/ca/ca.crt";
if !vault_init_path.exists() { if !vault_init_path.exists() {
return Err(anyhow::anyhow!( return Err(anyhow::anyhow!(
@ -673,8 +674,8 @@ impl BootstrapManager {
} }
let status_cmd = format!( let status_cmd = format!(
"VAULT_ADDR={} {} status -format=json 2>&1", "VAULT_ADDR={} VAULT_CACERT={} {} status -format=json 2>&1",
vault_addr, vault_bin vault_addr, vault_cacert, vault_bin
); );
let status_output = safe_sh_command(&status_cmd) let status_output = safe_sh_command(&status_cmd)
.ok_or_else(|| anyhow::anyhow!("Failed to execute vault status command"))?; .ok_or_else(|| anyhow::anyhow!("Failed to execute vault status command"))?;
@ -714,8 +715,8 @@ impl BootstrapManager {
if sealed { if sealed {
info!("Unsealing Vault..."); info!("Unsealing Vault...");
let unseal_cmd = format!( let unseal_cmd = format!(
"VAULT_ADDR={} {} operator unseal {} >/dev/null 2>&1", "VAULT_ADDR={} VAULT_CACERT={} {} operator unseal {} >/dev/null 2>&1",
vault_addr, vault_bin, unseal_key vault_addr, vault_cacert, vault_bin, unseal_key
); );
let unseal_output = safe_sh_command(&unseal_cmd) let unseal_output = safe_sh_command(&unseal_cmd)
.ok_or_else(|| anyhow::anyhow!("Failed to execute vault unseal command"))?; .ok_or_else(|| anyhow::anyhow!("Failed to execute vault unseal command"))?;
@ -727,8 +728,8 @@ impl BootstrapManager {
tokio::time::sleep(tokio::time::Duration::from_millis(500)).await; tokio::time::sleep(tokio::time::Duration::from_millis(500)).await;
let verify_cmd = format!( let verify_cmd = format!(
"VAULT_ADDR={} {} status -format=json 2>/dev/null", "VAULT_ADDR={} VAULT_CACERT={} {} status -format=json 2>/dev/null",
vault_addr, vault_bin vault_addr, vault_cacert, vault_bin
); );
let verify_output = safe_sh_command(&verify_cmd) let verify_output = safe_sh_command(&verify_cmd)
.ok_or_else(|| anyhow::anyhow!("Failed to verify vault status"))?; .ok_or_else(|| anyhow::anyhow!("Failed to verify vault status"))?;
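Review bot: `vault_cacert` in the first hunk is a hard-coded path relative to the process working directory, while `vault_init_path` on the line above it is resolved through `self.stack_dir(...)`; started from any directory other than the repository root, the vault CLI cannot open the CA file and the TLS verification this commit adds fails again. Resolving it the same way keeps the two in step — `let vault_cacert = self.stack_dir("conf/system/certificates/ca/ca.crt");` and `vault_addr, vault_cacert.display(), vault_bin` in the status, unseal and verify `format!` calls (assuming `stack_dir` returns a `PathBuf`, as the `.exists()` call on `vault_init_path` suggests). Because the value is spliced into a shell string, quoting it (`VAULT_CACERT='{}'`) also protects against a stack directory containing spaces. The body of `ensure_vault_unsealed` continues past the last hunk.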